Booking.com was reportedly hacked by a US intelligence agency but never told customers


A hacker working for a US intelligence agency hacked Booking.com’s servers in 2016 and stole user data relating to the Middle East, according to a book released Thursday. The book also says that the online travel agency decided to keep the incident a secret.

Amsterdam-based Booking.com made the decision after calling in the Dutch intelligence service, known as AIVD, to investigate the data breach. On the advice of a legal advisor, the company did not notify the affected customers or the Dutch data protection authority. The reason: Booking.com was not legally obligated to do so because sensitive or financial information could not be accessed.

The IT specialists who work for Booking.com told a different story, according to the book De Machine: In de ban van Booking.com (English translation: The Machine: Under the Spell of Booking.com). The authors of the book, three reporters from the Dutch national newspaper NRC, report that the internal name of the breach was “PIN-leak”, because the breach involved stolen PINs from reservations.

The book also says that the person behind the hack had access to thousands of hotel bookings involving Middle Eastern countries including Saudi Arabia, Qatar and the United Arab Emirates. The data disclosed concerned the names of Booking.com customers and their travel plans.

Two months after the breach, US private investigators helped Booking.com’s security department determine that the hacker was an American working for a company holding assignments from the US intelligence services. The authors never determined which agency was behind the intrusion.

Hotel and travel data have long been a highly sought-after commodity among hackers working for nation states. In 2013, an NSA whistleblower revealed “Royal Concierge”, a British GCHQ spy program that tracked bookings at 350 luxury hotels around the world. The spies used the data to identify the hotel where the targets of interest were staying, so that field agents could then plant bugs in their rooms.

In 2014, Kaspersky Lab revealed Dark Hotel, a years-long campaign that used hotel Wi-Fi networks to infect targeted guest devices with the goal of gaining access to a company’s sensitive information. The people behind Dark Hotel, likely working on behalf of a nation-state, have shown a particular interest in global political officials and senior executives.

Booking.com did not respond to emails seeking comment for this post. In a book preview published Thursday, the authors of De Machine said a Booking.com rep confirmed that there was unusual activity in 2016, that security staff dealt with the event immediately, and that the company never disclosed it. The rep said that Booking.com had no legal obligation to disclose the breach because no evidence of “actual adverse effects on people’s privacy” was found.
